Security Experts:

Connect with us

Hi, what are you looking for?



New ‘ToddyCat’ APT Targets High-Profile Entities in Europe, Asia

Kaspersky has detailed the activity of ToddyCat, a relatively new advanced persistent threat (ATP) actor that has been targeting high-profile entities in Europe and Asia for more than a year and a half.

Kaspersky has detailed the activity of ToddyCat, a relatively new advanced persistent threat (ATP) actor that has been targeting high-profile entities in Europe and Asia for more than a year and a half.

Focused on government organizations and military entities, including military contractors, ToddyCat is mainly characterized by the use of the Samurai backdoor and the Ninja trojan, two previously unknown malware families that provide the attackers with remote control over the infected systems.

The first ToddyCat attacks were observed in December 2020, when the threat actor was mainly focused on the servers of three organizations in Taiwan and Vietnam. Starting late February 2021, however, the adversary started targeting multiple organizations in Europe and Asia, exploiting the ProxyLogon Microsoft Exchange vulnerability for initial access.

According to Kaspersky, the group might have exploited ProxyLogon between December 2020 and February 2021 as well, given that it was targeting Exchange servers for initial compromise. The attackers were deploying a China Chopper web shell onto the compromised machines.

After gaining access to vulnerable Exchange servers, ToddyCat would deploy Samurai, a passive backdoor that communicates over ports 80 and 443 and which supports code execution.

Courtesy of its modular architecture, the malware allows the attackers to remotely control the infected machine, exfiltrate files, start proxy connections, and move laterally. The backdoor also employs obfuscation and various other techniques to avoid detection and to hinder analysis.

In some cases, the backdoor was used to launch Ninja, a trojan that could be part of an unknown post-exploitation toolkit exclusive to ToddyCat. Loaded directly in memory, the malware appears to function as a collaborative tool that enables multiple attackers to control the same machine simultaneously and provides support for a broad range of commands.

Based on received instructions, the threat can enumerate and manage running processes, manage the file system, start reverse shell sessions, inject code into processes, load additional modules, and provide proxy functionality. Ninja can also be configured to communicate over multiple protocols and packs various anti-detection features.

Another interesting characteristic of the trojan is a ‘working time’ feature, which allows the attackers to set it to work only within a specific time frame, which helps it avoid detection by behavior-based solutions.

Kaspersky says it has observed numerous ToddyCat campaigns to date, and that starting September 2021, the attackers have been targeting desktop systems in Central Asia with a new set of loaders for the Ninja trojan. The group’s activity continues.

While initial ToddyCat attacks targeted government entities in Taiwan and Vietnam, the group was later observed exploiting the ProxyLogon vulnerability to target entities in Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, the United Kingdom, and Uzbekistan.

Although it does not appear connected to other APT groups, ToddyCat’s targets are in countries and industries typically targeted by Chinese-speaking groups. What’s more, Kaspersky discovered that a Chinese-speaking APT using the FunnyDream backdoor had compromised three organizations at the same time as ToddyCat.

However, Kaspersky doesn’t want to merge the ToddyCat and FunnyDream clusters for the time being, mainly given the high profile of the victims, which are undoubtedly of interest to multiple APTs, but also because there’s no evidence that the malware families used by the two groups are interacting with one another.

“ToddyCat is a sophisticated APT group that uses multiple techniques to avoid detection and thereby keeps a low profile. During our investigations we discovered dozens of samples, but despite the number of files and the duration of their activities, we were unable to attribute the attacks to a known group; and there is also quite a bit of technical information about the operations that we don’t have,” Kaspersky concludes.

Related: FamousSparrow Cyberspies Exploit ProxyLogon in Attacks on Governments, Hotels

Related: Chinese Hackers Spotted Targeting Transportation Sector

Related: Report: Chinese Hackers Targeted Southeast Asian Nations

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...